feat(profile): general update.
This commit is contained in:
parent
a99fbaa0be
commit
c7181ecadf
32 changed files with 152 additions and 158 deletions
|
|
@ -18,19 +18,18 @@ profile apt-cdrom @{exec_path} flags=(complain) {
|
|||
@{exec_path} mr,
|
||||
|
||||
@{bin}/dpkg rPx -> child-dpkg,
|
||||
|
||||
@{bin}/mount rCx -> mount,
|
||||
@{bin}/umount rCx -> umount,
|
||||
|
||||
/etc/fstab r,
|
||||
|
||||
# Are all of these needed? (#FIXME#)
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/*/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
# @{run}/udev/data/* r,
|
||||
/etc/apt/sources.list{,.new} rw,
|
||||
/etc/apt/sources.list~ w,
|
||||
|
||||
/var/lib/apt/lists/** rw,
|
||||
|
||||
/var/lib/apt/cdroms.list{,.new} rw,
|
||||
/var/lib/apt/cdroms.list~ w,
|
||||
|
||||
# For cd-roms
|
||||
/media/cdrom@{int}/ r,
|
||||
|
|
@ -46,16 +45,15 @@ profile apt-cdrom @{exec_path} flags=(complain) {
|
|||
@{MOUNTS}/dists/**/binary-*/Packages{,.gz} r,
|
||||
@{MOUNTS}/dists/**/i18n/Translation-en{,.gz} r,
|
||||
|
||||
/var/lib/apt/lists/** rw,
|
||||
# Are all of these needed? (#FIXME#)
|
||||
@{sys}/bus/ r,
|
||||
@{sys}/bus/*/devices/ r,
|
||||
@{sys}/class/ r,
|
||||
@{sys}/class/*/ r,
|
||||
@{sys}/devices/**/uevent r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
||||
/var/lib/apt/cdroms.list{,.new} rw,
|
||||
/var/lib/apt/cdroms.list~ w,
|
||||
|
||||
/etc/apt/sources.list{,.new} rw,
|
||||
/etc/apt/sources.list~ w,
|
||||
|
||||
profile mount flags=(complain) {
|
||||
include <abstractions/base>
|
||||
|
||||
|
|
|
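Review bot: The new child `profile mount flags=(complain) {` at the end of the second apt-cdrom hunk is declared in complain mode, so any access it lacks is logged but still allowed, and its body continues outside the hunk, so the mount rules it is meant to carry cannot be reviewed here. A mount helper needs `capability sys_admin` to do its job, which makes this child the part of the profile most worth bringing to enforce mode once its `mount`/`umount` rules are known (the first hunk already names `/media/cdrom@{int}/` as the medium, which is the natural target to restrict them to). A comment above the child stating that, e.g. `# Child for mount(8) on CD-ROM media; complain only until its mount rules are confirmed from the audit log`, would turn the temporary state into an explicit TODO. `/var/lib/apt/lists/** rw,` is printed in both hunks, which reads like a relocation rather than a second grant, but the rendering lost the markers so the print order alone does not show which copy survives.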
|||
|
|
@ -64,7 +64,7 @@ profile dbus-session flags=(attach_disconnected) {
|
|||
@{sys}/kernel/security/apparmor/.access rw,
|
||||
@{sys}/kernel/security/apparmor/features/dbus/mask r,
|
||||
@{sys}/module/apparmor/parameters/enabled r,
|
||||
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
owner @{PROC}/@{pid}/attr/apparmor/current r,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
|
|
|
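Review bot: `@{PROC}/@{pid}/cmdline r,` in this dbus-session hunk carries no `owner` qualifier, while the neighbouring `owner @{PROC}/@{pid}/attr/apparmor/current r,` and `owner @{PROC}/@{pid}/fd/ r,` do; the hunk is 7 old and 7 new lines with one changed and the rendering lost the markers, so whether the unqualified cmdline rule or the attr rule is the surviving side cannot be told from here. If the cmdline rule is on the new side and `@{pid}` is a generic pid pattern rather than the caller's own pid (the `@{pids}` versus `@{pid}` distinction used elsewhere in this commit suggests it is a pattern), the rule permits reading the command line of every process visible in `/proc`, and command lines routinely carry credentials passed as arguments. If only the launcher's own command line is needed, `owner @{PROC}/@{pid}/cmdline r,` keeps the grant to same-uid processes. The enclosing `dbus-session` profile starts and ends outside the hunk.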
|||
|
|
@ -62,13 +62,9 @@ profile child-modprobe-nvidia flags=(attach_disconnected) {
|
|||
include <abstractions/app/kmod>
|
||||
|
||||
capability mknod,
|
||||
# capability sys_module,
|
||||
|
||||
/etc/nvidia/{current,legacy*,tesla*}/*.conf r,
|
||||
|
||||
# @{sys}/module/ipmi_devintf/initstate r,
|
||||
# @{sys}/module/ipmi_msghandler/initstate r,
|
||||
# @{sys}/module/{drm,nvidia}/initstate r,
|
||||
@{sys}/module/compression r,
|
||||
|
||||
deny @{HOME}/.steam/** r,
|
||||
|
|
|
|||
|
|
@ -21,7 +21,7 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
capability sys_nice,
|
||||
capability sys_ptrace,
|
||||
|
||||
ptrace (read) peer=unconfined,
|
||||
ptrace read peer=unconfined,
|
||||
|
||||
#aa:dbus own bus=system name=org.freedesktop.Accounts
|
||||
|
||||
|
|
@ -58,24 +58,23 @@ profile accounts-daemon @{exec_path} flags=(attach_disconnected) {
|
|||
/etc/shells r,
|
||||
/etc/sysconfig/displaymanager r,
|
||||
|
||||
/var/log/wtmp r,
|
||||
|
||||
owner /var/lib/AccountsService/ r,
|
||||
owner /var/lib/AccountsService/** rw,
|
||||
|
||||
@{HOME}/ r,
|
||||
owner @{HOME}/.pam_environment r,
|
||||
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
@{PROC}/@{pids}/loginuid r,
|
||||
@{PROC}/@{pids}/cmdline r,
|
||||
owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw,
|
||||
|
||||
@{PROC}/@{pid}/cmdline r,
|
||||
@{PROC}/@{pid}/loginuid r,
|
||||
@{PROC}/1/environ r,
|
||||
@{PROC}/cmdline r,
|
||||
@{PROC}/sys/kernel/osrelease r,
|
||||
|
||||
# wtmp.d ?
|
||||
/var/log/wtmp r,
|
||||
|
||||
owner @{tmp}/gnome-control-center-user-icon-@{rand6} rw,
|
||||
owner @{PROC}/@{pid}/fd/ r,
|
||||
owner @{PROC}/@{pid}/loginuid rw,
|
||||
|
||||
include if exists <local/accounts-daemon>
|
||||
}
|
||||
|
|
|
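Review bot: `@{PROC}/1/environ r,` in the second accounts-daemon hunk grants a read of PID 1's environment with no comment saying which value the daemon needs from it, and the first hunk's `capability sys_ptrace,` together with `ptrace read peer=unconfined,` make that read effective rather than a dead rule. The hunk is 24 old and 23 new lines with the markers lost, so which side this rule and the adjacent `@{PROC}/cmdline r,` and `@{PROC}/sys/kernel/osrelease r,` are on is not recoverable; if it is on the new side, a one-line rationale such as `# PID 1 environ: needed for <reason> — TODO confirm against audit log` would keep the next maintainer from widening or dropping it blindly. The same hunk prints both `@{PROC}/@{pids}/cmdline r,` and `@{PROC}/@{pid}/cmdline r,`, so one of them replaces the other; if `@{pids}` is the project's marker for reads of foreign processes, the surviving rule should say whether reading other users' command lines is intended, since that is the more sensitive of the two.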
|||
|
|
@ -32,14 +32,14 @@ profile xdg-screensaver @{exec_path} {
|
|||
@{bin}/xset rPx,
|
||||
@{bin}/hostname rix,
|
||||
|
||||
/dev/dri/card@{int} rw,
|
||||
|
||||
owner @{HOME}/ r,
|
||||
owner @{HOME}/.Xauthority r,
|
||||
owner @{tmp}/xauth-@{int}-_[0-9] r,
|
||||
|
||||
owner @{run}/user/@{uid}/ r,
|
||||
|
||||
/dev/dri/card@{int} rw,
|
||||
|
||||
include if exists <local/xdg-screensaver>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -39,7 +39,7 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/bwrap rPUx,
|
||||
@{bin}/bwrap rCx -> bwrap,
|
||||
|
||||
@{lib}/{,@{multiarch}/}webkit{2,}gtk-*/WebKitNetworkProcess rix,
|
||||
|
||||
|
|
@ -48,9 +48,11 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
|||
|
||||
owner @{user_config_dirs}/goa-1.0/accounts.conf r,
|
||||
|
||||
owner @{user_cache_dirs}/gnome-control-center-goa-helper/{,**} rwl,
|
||||
owner @{user_cache_dirs}/gnome-control-center-goa-helper/ rw,
|
||||
owner @{user_cache_dirs}/gnome-control-center-goa-helper/** rwl,
|
||||
|
||||
owner @{user_share_dirs}/gnome-control-center-goa-helper/{,**} rwk,
|
||||
owner @{user_share_dirs}/gnome-control-center-goa-helper/ rw,
|
||||
owner @{user_share_dirs}/gnome-control-center-goa-helper/** rwk,
|
||||
owner @{user_share_dirs}/webkitgtk/{,**} rw,
|
||||
owner @{user_share_dirs}/webkitgtk/localstorage/{,**} rwk,
|
||||
|
||||
|
|
@ -63,6 +65,15 @@ profile gnome-control-center-goa-helper @{exec_path} {
|
|||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/cmdline r,
|
||||
|
||||
profile bwrap flags=(attach_disconnected,complain) {
|
||||
include <abstractions/base>
|
||||
include <abstractions/common/bwrap>
|
||||
|
||||
@{bin}/bwrap mr,
|
||||
|
||||
include if exists <local/gnome-control-center-goa-helper_bwrap>
|
||||
}
|
||||
|
||||
include if exists <local/gnome-control-center-goa-helper>
|
||||
}
|
||||
|
||||
|
|
|
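Review bot: The new `profile bwrap flags=(attach_disconnected,complain) {` child in the third gnome-control-center-goa-helper hunk is in complain mode, so replacing `@{bin}/bwrap rPUx,` with `@{bin}/bwrap rCx -> bwrap,` in the first hunk does not confine anything yet: every access the child lacks is logged and allowed. The child holds `@{bin}/bwrap mr,` and the two includes but no rule for the program bwrap is launched to run (presumably the WebKit web process, given the parent's `WebKitNetworkProcess rix` rule — confirm from the audit log), so dropping `complain` as it stands would make the sandboxed helper fail at exec. Recording that next to the child before it is enforced, e.g. `# TODO: add the exec rule for the process bwrap spawns, then drop complain`, keeps the intent visible. The enclosing parent profile starts outside the first hunk.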
|||
|
|
@ -33,6 +33,8 @@ profile gnome-weather @{exec_path} {
|
|||
owner @{PROC}/@{pid}/stat r,
|
||||
owner @{PROC}/@{pid}/task/@{tid}/stat r,
|
||||
|
||||
deny owner @{user_share_dirs}/gvfs-metadata/* r,
|
||||
|
||||
include if exists <local/gnome-weather>
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -31,38 +31,14 @@ profile gsd-media-keys @{exec_path} flags=(attach_disconnected) {
|
|||
network netlink raw,
|
||||
|
||||
#aa:dbus own bus=session name=org.gnome.SettingsDaemon.MediaKeys
|
||||
#aa:dbus talk bus=session name=org.gnome.SettingsDaemon.Rfkill label=gsd-rfkill
|
||||
#aa:dbus talk bus=session name=org.gnome.Shell label=gnome-shell
|
||||
|
||||
dbus send bus=system path=/org/freedesktop/login1
|
||||
interface=org.freedesktop.login1.Manager
|
||||
member=PowerOff
|
||||
peer=(name=:*, label=systemd-logind),
|
||||
|
||||
dbus send bus=session path=/org/gnome/Shell
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus send bus=session path=/org/gnome/Shell
|
||||
interface=org.gnome.Shell
|
||||
member={GrabAccelerators,UngrabAccelerators}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus receive bus=session path=/org/gnome/Shell
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member={GetAll,PropertiesChanged}
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
dbus receive bus=session path=/org/gnome/Shell
|
||||
interface=org.gnome.Shell
|
||||
member=AcceleratorActivated
|
||||
peer=(name=:*, label=gnome-shell),
|
||||
|
||||
dbus send bus=session path=/org/gnome/SettingsDaemon/Rfkill
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=GetAll
|
||||
peer=(name=:*, label=gsd-rfkill),
|
||||
dbus receive bus=session path=/org/gnome/SettingsDaemon/Rfkill
|
||||
interface=org.freedesktop.DBus.Properties
|
||||
member=PropertiesChanged
|
||||
peer=(name=:*, label=gsd-rfkill),
|
||||
|
||||
dbus send bus=session path=/
|
||||
interface=org.freedesktop.DBus
|
||||
member=ListNames
|
||||
|
|
|
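Review bot: Replacing the explicit `dbus send`/`dbus receive` rules for `org.gnome.Shell` and `org.gnome.SettingsDaemon.Rfkill` with `#aa:dbus talk bus=session name=... label=...` directives drops the member restriction the old rules carried (`GetAll`, `GrabAccelerators`, `UngrabAccelerators`, `AcceleratorActivated`, `PropertiesChanged`); the old/new split is inferred from the hunk counts (38 old, 14 new) since the rendering lost the markers. If the `talk` directive expands to send and receive on every member of the peer's interfaces, which is how it reads, gsd-media-keys may now call any method gnome-shell exposes rather than only accelerator grabbing, which is a wider grant than the profile had before. If that widening is accepted, a short comment above the directives, e.g. `# talk directives replace member-scoped rules; gnome-shell exposes more than accelerators`, keeps the trade-off visible to the next reviewer. The trailing `dbus send bus=session path=/ ... member=ListNames` rule is cut by the hunk boundary, so its peer constraint is not reviewable here.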
|||
|
|
@ -32,6 +32,23 @@ profile gpg @{exec_path} {
|
|||
|
||||
/etc/inputrc r,
|
||||
|
||||
#aa:only pacman
|
||||
/etc/pacman.d/gnupg/gpg.conf r,
|
||||
/etc/pacman.d/gnupg/pubring.gpg r,
|
||||
/etc/pacman.d/gnupg/trustdb.gpg r,
|
||||
|
||||
#aa:only apt
|
||||
owner /etc/apt/keyrings/ rw,
|
||||
owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
|
||||
|
||||
owner /var/lib/*/{,.}gnupg/ rw,
|
||||
owner /var/lib/*/{,.}gnupg/** rwkl -> /var/lib/*/{,.}gnupg/**,
|
||||
|
||||
# TODO: Remove after zypper profile is created
|
||||
#aa:only zypper
|
||||
owner /var/tmp/zypp.@{rand6}/ rw,
|
||||
owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
|
||||
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/ rw,
|
||||
owner @{HOME}/@{XDG_GPG_DIR}/** rwkl -> @{HOME}/@{XDG_GPG_DIR}/**,
|
||||
|
||||
|
|
@ -45,26 +62,6 @@ profile gpg @{exec_path} {
|
|||
owner @{user_share_dirs}/torbrowser/gnupg_homedir/ rw,
|
||||
owner @{user_share_dirs}/torbrowser/gnupg_homedir/** rwkl -> @{user_share_dirs}/torbrowser/gnupg_homedir/**,
|
||||
|
||||
#aa:only apt
|
||||
owner /etc/apt/keyrings/ rw,
|
||||
owner /etc/apt/keyrings/** rwkl -> /etc/apt/keyrings/**,
|
||||
|
||||
#aa:only pacman
|
||||
/etc/pacman.d/gnupg/gpg.conf r,
|
||||
/etc/pacman.d/gnupg/pubring.gpg r,
|
||||
/etc/pacman.d/gnupg/trustdb.gpg r,
|
||||
|
||||
owner /var/lib/*/gnupg/ rw,
|
||||
owner /var/lib/*/gnupg/** rwkl -> /var/lib/*/gnupg/**,
|
||||
|
||||
owner /var/lib/*/.gnupg/ rw,
|
||||
owner /var/lib/*/.gnupg/** rwkl -> /var/lib/*/.gnupg/**,
|
||||
|
||||
# TODO: Remove after zypper profile is created
|
||||
#aa:only zypper
|
||||
owner /var/tmp/zypp.@{rand6}/ rw,
|
||||
owner /var/tmp/zypp.@{rand6}/** rwkl -> /var/tmp/zypp.@{rand6}/**,
|
||||
|
||||
#aa:exclude ubuntu
|
||||
owner @{tmp}/ostree-gpg-@{rand6}/ r,
|
||||
owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,
|
||||
|
|
|
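Review bot: `owner @{tmp}/ostree-gpg-@{rand6}/** rwkl -> /tmp/ostree-gpg-@{rand6}/**,` at the end of the second gpg hunk uses `@{tmp}` on the source side and a literal `/tmp/` on the link target, while every other link rule in both hunks (`/etc/apt/keyrings`, `/var/lib/*/{,.}gnupg`, `/var/tmp/zypp.@{rand6}`, `@{HOME}/@{XDG_GPG_DIR}`) repeats the same expression on both sides. If `@{tmp}` can expand to anything other than `/tmp` (a per-user or private tmp), links created there are denied even though the source rule matches; `-> @{tmp}/ostree-gpg-@{rand6}/**,` would keep the two sides consistent. This is a context line, so the commit did not introduce it, but the hunk is the reorder that moves the neighbouring rules and is the natural place to fix it. The rest of the change reads as a relocation of the pacman/apt/zypper blocks into the first hunk, with `{,.}gnupg` merging the two `/var/lib/*/gnupg` variants.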
|||
|
|
@ -28,12 +28,12 @@ profile arch-audit @{exec_path} {
|
|||
|
||||
/var/lib/pacman/local/{,**} r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,
|
||||
@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,
|
||||
|
||||
owner @{PROC}/@{pid}/cgroup r,
|
||||
owner @{PROC}/@{pid}/mountinfo r,
|
||||
|
||||
/dev/pts/@{int} rw,
|
||||
|
||||
include if exists <local/arch-audit>
|
||||
|
|
|
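Review bot: `@{sys}/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,` in the arch-audit hunk sits next to `@{sys}/fs/cgroup/cpu,cpuacct/cpu.cfs_quota_us r,` and lacks the `fs/` component; the cgroup filesystem is mounted under `/sys/fs/cgroup`, so unless this path was copied from an actual audit record the first rule matches nothing and looks like a typo for `@{sys}/fs/cgroup/cpu,cpuacct/user.slice/cpu.cfs_quota_us r,`. Both rules are printed once, so the rendering does not show whether the commit touched them; the visible change is the `owner @{PROC}/@{pid}/cgroup r,` and `owner @{PROC}/@{pid}/mountinfo r,` pair moving below the sysfs rules. A rule that can never match is harmless in itself but hides the denial the profile was meant to cover.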
|||
|
|
@ -46,7 +46,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/gpg{,2} rCx -> gpg,
|
||||
@{bin}/gpgconf rCx -> gpg,
|
||||
@{bin}/gpgsm rCx -> gpg,
|
||||
|
||||
|
||||
# Pacman hooks & install scripts
|
||||
@{sh_path} rix,
|
||||
@{coreutils_path} rix,
|
||||
|
|
@ -64,7 +64,6 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
|
|||
@{bin}/gdk-pixbuf-query-loaders rPx,
|
||||
@{bin}/getent rix,
|
||||
@{bin}/gettext rix,
|
||||
@{bin}/ghc-pkg{,-*} rPx,
|
||||
@{bin}/gio-querymodules rPx,
|
||||
@{bin}/glib-compile-schemas rPx,
|
||||
@{bin}/groupadd rPx,
|
||||
|
|
@ -118,9 +117,7 @@ profile pacman @{exec_path} flags=(attach_disconnected) {
|
|||
/var/** rwlk -> /var/**,
|
||||
|
||||
# Read packages files
|
||||
@{user_pkg_dirs}/ r,
|
||||
@{user_pkg_dirs}/**/ r,
|
||||
@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,
|
||||
@{user_pkg_dirs}/{,**} r,
|
||||
|
||||
owner /var/lib/pacman/{,**} rwl,
|
||||
owner @{tmp}/alpm_@{rand6}/{,**} rw,
|
||||
|
|
|
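Review bot: In the third pacman hunk `@{user_pkg_dirs}/{,**} r,` replaces the three narrower rules `@{user_pkg_dirs}/ r,`, `@{user_pkg_dirs}/**/ r,` and `@{user_pkg_dirs}/**.pkg.tar.zst{,.sig} r,` (9 old, 7 new lines), so pacman, which runs as root, may now read any file under a user-owned package directory rather than only directories and package archives with their signatures. The old form was a useful least-privilege boundary: installation needs the archive and its `.sig`, and anything else placed in that directory stayed unreadable from this profile. If the widening was prompted by a denial on a different archive extension, extending the alternation, e.g. `@{user_pkg_dirs}/**.pkg.tar.{xz,zst}{,.sig} r,`, keeps the boundary; otherwise a comment stating why every file must be readable would help the next reviewer.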
|||
|
|
@ -23,8 +23,7 @@ profile ssh @{exec_path} {
|
|||
|
||||
@{exec_path} mrix,
|
||||
|
||||
@{bin}/{,b,d,rb}ash rix,
|
||||
@{bin}/{c,k,tc,z}sh rix,
|
||||
@{bin}/@{shells} rUx,
|
||||
|
||||
@{etc_ro}/ssh/ssh_config r,
|
||||
@{etc_ro}/ssh/ssh_config.d/{,*} r,
|
||||
|
|
|
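Review bot: `@{bin}/@{shells} rUx,` in the ssh hunk replaces `@{bin}/{,b,d,rb}ash rix,` and `@{bin}/{c,k,tc,z}sh rix,` (8 old, 7 new lines), which changes the shell exec from inheriting the ssh profile to running fully unconfined, so whatever ssh runs through a shell — `ProxyCommand`, `LocalCommand`, `Match exec` and similar client-config hooks — leaves confinement entirely. That may be deliberate, since such hooks run arbitrary user-chosen programs that `ix` would break, but it also means the profile offers nothing against a tampered client config, and the hunk gives no reason for the choice. A comment on the rule, e.g. `# Shells run user-configured hooks (ProxyCommand etc.); unconfined on purpose — TODO confirm`, would record the decision, and `rPUx` or a dedicated child profile is worth considering if any confinement of those hooks is wanted. The enclosing `ssh` profile starts and ends outside the hunk.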
|||
|
|
@ -12,7 +12,7 @@ profile ssh-agent-launch @{exec_path} {
|
|||
|
||||
@{exec_path} mr,
|
||||
|
||||
@{bin}/{,z,ba,da}sh rix,
|
||||
@{sh_path} rix,
|
||||
@{bin}/dbus-update-activation-environment rCx -> dbus,
|
||||
@{bin}/getopt rix,
|
||||
@{bin}/grep rix,
|
||||
|
|
|
|||